<!DOCTYPE html>
<html lang="en">
<head>
	<meta charset="UTF-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
	<title>Security | ElasticSearch 7.7 权威指南中文版</title>
	<meta name="keywords" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <meta name="description" content="ElasticSearch 权威指南中文版, elasticsearch 7, es7, 实时数据分析，实时数据检索" />
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
	<link rel="stylesheet" type="text/css" href="../static/styles.css" />
	<script>
	var _link = 'sql-security.html';
    </script>
</head>
<body>
<div class="main-container">
    <section id="content">
        <div class="content-wrapper">
            <section id="guide" lang="zh_cn">
                <div class="container">
                    <div class="row">
                        <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                            <div style="color:gray; word-break: break-all; font-size:12px;">原英文版地址: <a href="https://www.elastic.co/guide/en/elasticsearch/reference/7.7/sql-security.html" rel="nofollow" target="_blank">https://www.elastic.co/guide/en/elasticsearch/reference/7.7/sql-security.html</a>, 原文档版权归 www.elastic.co 所有<br/>本地英文版地址: <a href="../en/sql-security.html" rel="nofollow" target="_blank">../en/sql-security.html</a></div>
                        <!-- start body -->
                  <div class="page_header">
<strong>重要</strong>: 此版本不会发布额外的bug修复或文档更新。最新信息请参考 <a href="https://www.elastic.co/guide/en/elasticsearch/reference/current/index.html" rel="nofollow">当前版本文档</a>。
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="xpack-sql.html">SQL access</a></span>
»
<span class="breadcrumb-node">Security</span>
</div>
<div class="navheader">
<span class="prev">
<a href="_mapping_concepts_across_sql_and_elasticsearch.html">« Mapping concepts across SQL and Elasticsearch</a>
</span>
<span class="next">
<a href="sql-rest.html">SQL REST API »</a>
</span>
</div>
<div class="chapter xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="sql-security"></a>Security<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/sql/security.asciidoc">edit</a><a class="xpack_tag" href="https://www.elastic.co/subscriptions"></a>
</h2>
</div></div></div>
<p>Elasticsearch SQL integrates with security, if this is enabled on your cluster.
In such a scenario, Elasticsearch SQL supports both security at the transport layer (by encrypting the communication between the consumer and the server) and authentication (for the access layer).</p>
<h4>
<a id="ssl-tls-config"></a>SSL/TLS configuration<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/sql/security.asciidoc">edit</a>
</h4>
<p>In case of an encrypted transport, the SSL/TLS support needs to be enabled in Elasticsearch SQL to properly establish communication with Elasticsearch. This is done by setting the <code class="literal">ssl</code> property to <code class="literal">true</code> or by using the <code class="literal">https</code> prefix in the URL.<br>
Depending on your SSL configuration (whether the certificates are signed by a CA or not, whether they are global at JVM level or just local to one application), might require setting up the <code class="literal">keystore</code> and/or <code class="literal">truststore</code>, that is where the <em>credentials</em> are stored (<code class="literal">keystore</code> - which typically stores private keys and certificates) and how to <em>verify</em> them (<code class="literal">truststore</code> - which typically stores certificates from third party also known as CA - certificate authorities).<br>
Typically (and again, do note that your environment might differ significantly), if the SSL setup for Elasticsearch SQL is not already done at the JVM level, one needs to setup the keystore if the Elasticsearch SQL security requires client authentication (PKI - Public Key Infrastructure), and setup <code class="literal">truststore</code> if SSL is enabled.</p>
<h4>
<a id="_authentication"></a>Authentication<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/sql/security.asciidoc">edit</a>
</h4>
<p>The authentication support in Elasticsearch SQL is of two types:</p>
<div class="variablelist">
<dl class="variablelist">
<dt>
<span class="term">
Username/Password
</span>
</dt>
<dd>
Set these through <code class="literal">user</code> and <code class="literal">password</code> properties.
</dd>
<dt>
<span class="term">
PKI/X.509
</span>
</dt>
<dd>
Use X.509 certificates to authenticate Elasticsearch SQL to Elasticsearch. For this, one would need to setup the <code class="literal">keystore</code> containing the private key and certificate to the appropriate user (configured in Elasticsearch) and the <code class="literal">truststore</code> with the CA certificate used to sign the SSL/TLS certificates in the Elasticsearch cluster. That is, one should setup the key to authenticate Elasticsearch SQL and also to verify that is the right one. To do so, one should set the <code class="literal">ssl.keystore.location</code> and <code class="literal">ssl.truststore.location</code> properties to indicate the <code class="literal">keystore</code> and <code class="literal">truststore</code> to use. It is recommended to have these secured through a password in which case <code class="literal">ssl.keystore.pass</code> and <code class="literal">ssl.truststore.pass</code> properties are required.
</dd>
</dl>
</div>
<h4>
<a id="sql-security-permissions"></a>Permissions (server-side)<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/docs/reference/sql/security.asciidoc">edit</a>
</h4>
<p>Lastly, one the server one need to add a few permissions to
users so they can run SQL. To run SQL a user needs <code class="literal">read</code> and
<code class="literal">indices:admin/get</code> permissions at minimum while some parts of
the API require <code class="literal">cluster:monitor/main</code>.</p>
<p>The following example configures a role that can run SQL in JDBC querying the <code class="literal">test</code> and <code class="literal">bort</code>
indices:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">cli_or_drivers_minimal:
  cluster:
    - "cluster:monitor/main"
  indices:
    - names: test
      privileges: [read, "indices:admin/get"]
    - names: bort
      privileges: [read, "indices:admin/get"]</pre>
</div>
</div>
<div class="navfooter">
<span class="prev">
<a href="_mapping_concepts_across_sql_and_elasticsearch.html">« Mapping concepts across SQL and Elasticsearch</a>
</span>
<span class="next">
<a href="sql-rest.html">SQL REST API »</a>
</span>
</div>
</div>

                  <!-- end body -->
                        </div>
                        <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                        
                        </div>
                    </div>
                </div>
            </section>
        </div>
    </section>
</div>
<script src="../static/cn.js"></script>
</body>
</html>